Robert Ferney wrote:
>
> I have 10 DSL routers with associated internet connections.
> They are all configured to DNAT all traffic on their external
> interface to one internal Router.
>
> I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
> It is working for the first connection, but it fails on the remainder
> What am I missing?

My guess is what you are missing is that the "un-DNAT" of the source address in the reply packets from the server takes place in POSTROUTING, too late for it to be taken into account by your routing rules, which affects only packets generated by the internal router.

So your internal router needs to know to which gateway the reply packets must be sent (depending on which gateway the original packet came from) before the routing stage. This must be done in PREROUTING.

Here are two possible methods :

==============================================================
1) Match the original destination address of the incoming DNATed connection in the reply packets. This is done with the "--ctorigdst" option of the "conntrack" iptables match :

==============================================================
2) Mark the connections with the CONNMARK iptables target. This requires a kernel with connection mark support, i.e. at least version 2.6.10 or patched with patch-o-matic-ng.

This sets a "connection mark" on new _connections_ (not on individual packets) incoming on eth2 depending on the original destination address. Then copy the connection mark into the mark of reply packets incoming on eth0 :
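The two methods above, written out as a complete rule set for the internal router. This is an added example, not the rules posted in the thread, and it rests on assumptions the thread does not state: the internal router faces the DSL routers on eth2 and the web server on eth0, each DSL router DNATs to its own alias address on eth2 (192.168.0.11 via gateway 192.168.0.1, 192.168.0.12 via 192.168.0.2; the GATEWAYS table can be extended to all 10), and one policy-routing table per gateway is selected by fwmark. The mark is set in the mangle PREROUTING chain, before the routing decision, which is the whole point of both methods.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout:
# eth2 = side facing the DSL routers, eth0 = LAN side with the web server.
# Each DSL router DNATs to one alias address on eth2. Columns:
#   <alias address on eth2> <DSL router gateway> <fwmark = routing table>
GATEWAYS='
192.168.0.11 192.168.0.1 101
192.168.0.12 192.168.0.2 102
'
WAN_IF=eth2
LAN_IF=eth0
WEBSERVER=192.168.7.4

# Loop helper: runs "$@" once per GATEWAYS row with alias/gw/mark set.
for_each_gateway() {
  echo "$GATEWAYS" | while read -r alias gw mark; do
    [ -n "$alias" ] || continue
    "$@" "$alias" "$gw" "$mark"
  done
}

# One routing table per DSL router, chosen by the packet mark.
_route_rule() {
  echo "ip route add default via $2 dev $WAN_IF table $3"
  echo "ip rule add fwmark $3 table $3"
}
routing_rules() { for_each_gateway _route_rule; echo "ip route flush cache"; }

# Forward incoming web traffic (per alias) to the web server.
_dnat_rule() {
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $1 -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER"
}
dnat_rules() { for_each_gateway _dnat_rule; }

# Method 1: mark reply packets arriving on the LAN side by the connection's
# original (pre-DNAT) destination, i.e. the alias the DSL router sent them to.
_ctorigdst_rule() {
  echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED --ctorigdst $1 -j MARK --set-mark $3"
}
ctorigdst_rules() { for_each_gateway _ctorigdst_rule; }

# Method 2: mark the connection once on the first packet (mangle PREROUTING
# runs before nat PREROUTING, so -d still sees the alias), then copy the
# connection mark onto every reply packet coming in from the LAN side.
_connmark_rule() {
  echo "iptables -t mangle -A PREROUTING -i $WAN_IF -d $1 -m conntrack --ctstate NEW -j CONNMARK --set-mark $3"
}
connmark_rules() {
  for_each_gateway _connmark_rule
  echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark"
}

# generate <ctorigdst|connmark>: print the full rule set for one method.
generate() {
  dnat_rules
  case "$1" in
    ctorigdst) ctorigdst_rules ;;
    connmark)  connmark_rules ;;
    *) echo "unknown method: $1 (use ctorigdst or connmark)" >&2; return 1 ;;
  esac
  routing_rules
}

# Usage: sh multiwan.sh <ctorigdst|connmark> [apply]
# Without "apply" the rules are only printed so they can be reviewed first.
if [ "${2:-}" = "apply" ]; then
  generate "$1" | sh -e
elif [ -n "${1:-}" ]; then
  generate "$1"
fi
```

Run it without "apply" first and read the output; the CONNMARK variant needs a kernel with connection mark support as the post notes, while the --ctorigdst variant only needs the conntrack match. In both cases the ip rule/route lines must exist before the marks are useful, otherwise marked replies still fall through to the main table and leave by the default gateway, which is exactly the symptom described.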